Between Two Worlds: An Interview with Reverse Engineer Eric Klonowski

This week, I’ll be at Black Hat USA 2018 in Las Vegas. If you’ve ever been to Black Hat, then you know all about the flood of information and how hard it can be to take it all in. This year’s presentations will range from the newest trends in browser exploits, bots, and social engineering attacks, to the security status quo and how legal policies shape information security. And it’s anyone’s guess what the hottest topics around the water cooler will look like. To prepare, I reached out to Eric Klonowski, Principal Reverse Engineer at Webroot, to shed some light on his role at Webroot and what he and his peers bring to a major industry event like Black Hat.

Below is our interview, edited for length.

Tyler: Eric, tell us why a role like yours is valuable to security companies.

Eric: If you want to be successful in any industry, you have to have someone who understands the problems, down to the details, that your product is supposed to solve. That’s what I do. I work to understand threats, threat actors, and the malware that’s proliferating to help seal off the vulnerabilities they exploit and prevent attacks.

How has your role at Webroot evolved over time?

When I first came on board in 2015, my role was about 70 percent research, 30 percent development. Now, it’s more like 10 percent research and 90 percent development. We have to stay on top of the latest and greatest invasive techniques. That means we’re doing a lot of development. We have a staff reverse engineer who takes malware apart to write software that will block it better.

It’s not a regular 9-5. I’m a security nut and this work fascinates me, so it’s always on my mind.

It probably helps in your line of work to be able to think like a hacker, except you’re one of the good guys. What’s it like to live in that duality each day?

First off, “hacker” is our word. You don’t use that word.

Whoa.

I’m kidding. But let’s take a second to talk about “hacking.” Back when I was getting proficient at software development, I hung out in hacker forums that were full of people who would basically copy and paste someone else’s malware to break into systems. I have no respect for that. It doesn’t take any skill or smarts.

The ethical piece aside, I do have respect for people who develop exploits and sophisticated malware. What they do is very similar to what I do. We’re both trying to solve the same problems creatively, efficiently, and effectively. We’re just coming at it from different sides, and with a different goal in mind. So yes, you could call me a hacker, but I’d say I’m a “white hat.”

It’s always fun to poke around and see what you can do, but you do have to know when to draw the line. Sometimes, researching malware is like being a vigilante; you report what you see and make the compromised locations known.

How quickly does your team have to act when they discover a new threat?

Our pace can vary widely, but when we discover a new threat, we try to crush it quickly. We have to move fast to hand our research and development work to the product team so they can integrate a mitigation strategy into our product. For instance, with the WannaCry ransomware attack last year, my phone was buzzing like crazy before I even got out of bed. Some days are like that.

When other researchers release a report of a new malware variant or zero-day, we crack it open and try to get a better understanding of how it might spread. As an example, if we’re examining ransomware, we want to observe the encryption mechanisms it contains. In a way, we look to see if the author made any mistakes.

What types of tools do you use in reverse engineering?

By name, I typically utilize IDA, which is the industry standard. I also rely pretty heavily on WinDBG. When it comes down to it, those tools make your job easier. But someone in my position can use a pretty wide variety of tools to disassemble software and extrapolate what they are looking for.

You once told me reverse engineering was the “ultimate puzzle.” How did you discover this type of work?

I’ve always liked taking things apart and making them work better, and I started writing code when I was nine or 10. Later, I was hired as an intern for a defense contractor and had to do a lot of security-related research and software development. That’s really where it started, and I chose to stay on full-time for a few years. Until then, I was self-taught and didn’t really understand software on a large scale, but I learned so much about development from the people I was working with. I also worked on a lot of personal projects that propelled me forward on this path.

Were there any “aha moments” for you that made you decide this was the right career?

When I started at Webroot and became familiar with how the product functioned, I was pretty excited to see that we really do a great job here. We offer such a great product; the challenge to continue to make it better each day is pretty motivating. And I’m very fortunate to have found a way to get paid to do something that’s always been a hobby I love.

Eric, thanks for the interview! I know we’re grateful you’re on our team at Webroot.

About the Author

Senior Threat Research Analyst

Tyler Moffitt is a Senior Threat Research Analyst who stays deeply immersed within the world of malware and antimalware. He is focused on improving the customer experience through his work directly with malware samples, creating antimalware intelligence, writing blogs, and testing in-house tools.
